You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Handles Ubuntu ESM as a distro `esm` channel, modeled on the existing RHEL EUS
support. When a scanned Ubuntu image is Pro/ESM-enabled, a two-pass match resolves
base disclosures against the ESM-channel fixes, so users see `fixed in ...+esm1`
instead of a bare wont-fix. Non-Pro scans are unchanged: the same CVEs still show
as vulnerable/wont-fix.
Off by default. Turns on when ESM is detected on the scanned OS or via
`--distro ubuntu:XX.YY+esm`.
This consumes the `ubuntu:XX.YY+esm` records the ubuntu vunnel provider now emits.
No DB schema change: the `os` transformer already splits the channel suffix, same
as RHEL EUS.
Note: the Pro/ESM detection this relies on lives in syft (anchore/syft#5028). The
`syft` dependency here is temporarily pinned to that PR's branch, not a released
version, and needs re-pinning once #5028 merges.
FIPS / Realtime / BlueField Pro tiers are intentionally out of scope for now.
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
descriptions.Add(&o.RedHatEUS, `whether to always enable, disable, or automatically detect when to use Red Hat Extended Update Support (EUS) vulnerability data`)
59
81
descriptions.Add(&o.RedHatEUS.Apply, `whether fixes from this channel should be considered, options are "never", "always", or "auto" (conditionally applied based on SBOM data)`)
82
+
descriptions.Add(&o.UbuntuESM, `whether to always enable, disable, or automatically detect when to use Ubuntu Extended Security Maintenance (ESM / Ubuntu Pro) vulnerability data`)
83
+
descriptions.Add(&o.UbuntuESM.Apply, `whether fixes from this channel should be considered, options are "never", "always", or "auto" (conditionally applied based on SBOM data)`)
0 commit comments